Eric Lee / smarc-fsl-linux-kernel

27 Aug, 2011

1 commit

20 Aug, 2010

1 commit

24 Jun, 2010

1 commit

12 Jan, 2010

1 commit

  • d218d1113   tcp: Generalized TTL Security Mechanism ... Browse Code »

    This patch adds the kernel portions needed to implement
    RFC 5082 Generalized TTL Security Mechanism (GTSM).
    It is a lightweight security measure against forged
    packets causing DoS attacks (for BGP).

    This is already implemented the same way in BSD kernels.
    For the necessary Quagga patch
    http://www.gossamer-threads.com/lists/quagga/dev/17389

    Description from Cisco
    http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_btsh.html

    It does add one byte to each socket structure, but I did
    a little rearrangement to reuse a hole (on 64 bit), but it
    does grow the structure on 32 bit

    This should be documented on ip(4) man page and the Glibc in.h
    file also needs update. IPV6_MINHOPLIMIT should also be added
    (although BSD doesn't support that).

    Only TCP is supported, but could also be added to UDP, DCCP, SCTP
    if desired.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller

    Stephen Hemminger
     

05 Nov, 2009

1 commit

  • d94d9fee9   net: cleanup include/linux ... Browse Code »

    This cleanup patch puts struct/union/enum opening braces,
    in first line to ease grep games.

    struct something
    {

    becomes :

    struct something {

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Eric Dumazet
     

02 Jun, 2009

1 commit

  • f771bef98   ipv4: New multicast-all socket option ... Browse Code »

    After some discussion offline with Christoph Lameter and David Stevens
    regarding multicast behaviour in Linux, I'm submitting a slightly
    modified patch from the one Christoph submitted earlier.

    This patch provides a new socket option IP_MULTICAST_ALL.

    In this case, default behaviour is _unchanged_ from the current
    Linux standard. The socket option is set by default to provide
    original behaviour. Sockets wishing to receive data only from
    multicast groups they join explicitly will need to clear this
    socket option.

    Signed-off-by: Nivedita Singhvi
    Signed-off-by: Christoph Lameter
    Acked-by: David Stevens
    Signed-off-by: David S. Miller

    Nivedita Singhvi
     

17 Nov, 2008

1 commit

  • e8b2dfe9b   TPROXY: implemented IP_RECVORIGDSTADDR socket option ... Browse Code »

    In case UDP traffic is redirected to a local UDP socket,
    the originally addressed destination address/port
    cannot be recovered with the in-kernel tproxy.

    This patch adds an IP_RECVORIGDSTADDR sockopt that enables
    a IP_ORIGDSTADDR ancillary message in recvmsg(). This
    ancillary message contains the original destination address/port
    of the packet being received.

    Signed-off-by: Balazs Scheidler
    Signed-off-by: David S. Miller

    Balazs Scheidler
     

01 Oct, 2008

1 commit

18 Mar, 2008

1 commit

29 Jan, 2008

4 commits

  • 1e637c74b   [IPV4]: Enable use of 240/4 address space. ... Browse Code »

    This short patch modifies the IPv4 networking to enable use of the
    240.0.0.0/4 (aka "class-E") address space as propsed in the internet
    draft draft-fuller-240space-00.txt.

    Signed-off-by: Jan Engelhardt
    Acked-by: YOSHIFUJI Hideaki
    Signed-off-by: David S. Miller

    Jan Engelhardt
     
  • 2d4d29802   [IPV4]: Remove unused IPV4TYPE macros ... Browse Code »

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

    Joe Perches
     
  • 2658fa803   [IPV4]: Create ipv4_is_<type>(__be32 addr) functions ... Browse Code »

    Change IPV4 specific macros LOOPBACK MULTICAST LOCAL_MCAST BADCLASS
    and ZERONET macros to inline functions ipv4_is_(__be32 addr)

    Adds type safety and arguably some readability.

    Changes since last submission:

    Removed ipv4_addr_octets function
    Used hex constants
    Converted recently added rfc3330 macros

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

    Joe Perches
     
  • c7dc89c0a   [IPV6]: Add RFC4214 support ... Browse Code »

    This patch includes support for the Intra-Site Automatic Tunnel
    Addressing Protocol (ISATAP) per RFC4214. It uses the SIT
    module, and is configured using extensions to the "iproute2"
    utility. The diffs are specific to the Linux 2.6.24-rc2 kernel
    distribution.

    This version includes the diff for ./include/linux/if.h which was
    missing in the v2.4 submission and is needed to make the
    patch compile. The patch has been installed, compiled and
    tested in a clean 2.6.24-rc2 kernel build area.

    Signed-off-by: Fred L. Templin
    Signed-off-by: YOSHIFUJI Hideaki
    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Fred L. Templin
     

26 Apr, 2007

1 commit

  • 628a5c561   [INET]: Add IP(V6)_PMTUDISC_RPOBE ... Browse Code »

    Add IP(V6)_PMTUDISC_PROBE value for IP(V6)_MTU_DISCOVER. This option forces
    us not to fragment, but does not make use of the kernel path MTU discovery.
    That is, it allows for user-mode MTU probing (or, packetization-layer path
    MTU discovery). This is particularly useful for diagnostic utilities, like
    traceroute/tracepath.

    Signed-off-by: John Heffner
    Signed-off-by: David S. Miller

    John Heffner
     

03 Dec, 2006

1 commit

  • ba4e58eca   [NET]: Supporting UDP-Lite (RFC 3828) in Linux ... Browse Code »

    This is a revision of the previously submitted patch, which alters
    the way files are organized and compiled in the following manner:

    * UDP and UDP-Lite now use separate object files
    * source file dependencies resolved via header files
    net/ipv{4,6}/udp_impl.h
    * order of inclusion files in udp.c/udplite.c adapted
    accordingly

    [NET/IPv4]: Support for the UDP-Lite protocol (RFC 3828)

    This patch adds support for UDP-Lite to the IPv4 stack, provided as an
    extension to the existing UDPv4 code:
    * generic routines are all located in net/ipv4/udp.c
    * UDP-Lite specific routines are in net/ipv4/udplite.c
    * MIB/statistics support in /proc/net/snmp and /proc/net/udplite
    * shared API with extensions for partial checksum coverage

    [NET/IPv6]: Extension for UDP-Lite over IPv6

    It extends the existing UDPv6 code base with support for UDP-Lite
    in the same manner as per UDPv4. In particular,
    * UDPv6 generic and shared code is in net/ipv6/udp.c
    * UDP-Litev6 specific extensions are in net/ipv6/udplite.c
    * MIB/statistics support in /proc/net/snmp6 and /proc/net/udplite6
    * support for IPV6_ADDRFORM
    * aligned the coding style of protocol initialisation with af_inet6.c
    * made the error handling in udpv6_queue_rcv_skb consistent;
    to return `-1' on error on all error cases
    * consolidation of shared code

    [NET]: UDP-Lite Documentation and basic XFRM/Netfilter support

    The UDP-Lite patch further provides
    * API documentation for UDP-Lite
    * basic xfrm support
    * basic netfilter support for IPv4 and IPv6 (LOG target)

    Signed-off-by: Gerrit Renker
    Signed-off-by: David S. Miller

    Gerrit Renker
     

04 Oct, 2006

1 commit

  • 0a69452cb   [XFRM]: BEET mode ... Browse Code »

    This patch introduces the BEET mode (Bound End-to-End Tunnel) with as
    specified by the ietf draft at the following link:

    http://www.ietf.org/internet-drafts/draft-nikander-esp-beet-mode-06.txt

    The patch provides only single family support (i.e. inner family =
    outer family).

    Signed-off-by: Diego Beltrami
    Signed-off-by: Miika Komu
    Signed-off-by: Herbert Xu
    Signed-off-by: Abhinav Pathak
    Signed-off-by: Jeff Ahrenholz
    Signed-off-by: David S. Miller

    Diego Beltrami
     

29 Sep, 2006

1 commit

23 Sep, 2006

2 commits

21 Mar, 2006

1 commit

  • 2c7946a7b   [SECURITY]: TCP/UDP getpeersec ... Browse Code »

    This patch implements an application of the LSM-IPSec networking
    controls whereby an application can determine the label of the
    security association its TCP or UDP sockets are currently connected to
    via getsockopt and the auxiliary data mechanism of recvmsg.

    Patch purpose:

    This patch enables a security-aware application to retrieve the
    security context of an IPSec security association a particular TCP or
    UDP socket is using. The application can then use this security
    context to determine the security context for processing on behalf of
    the peer at the other end of this connection. In the case of UDP, the
    security context is for each individual packet. An example
    application is the inetd daemon, which could be modified to start
    daemons running at security contexts dependent on the remote client.

    Patch design approach:

    - Design for TCP
    The patch enables the SELinux LSM to set the peer security context for
    a socket based on the security context of the IPSec security
    association. The application may retrieve this context using
    getsockopt. When called, the kernel determines if the socket is a
    connected (TCP_ESTABLISHED) TCP socket and, if so, uses the dst_entry
    cache on the socket to retrieve the security associations. If a
    security association has a security context, the context string is
    returned, as for UNIX domain sockets.

    - Design for UDP
    Unlike TCP, UDP is connectionless. This requires a somewhat different
    API to retrieve the peer security context. With TCP, the peer
    security context stays the same throughout the connection, thus it can
    be retrieved at any time between when the connection is established
    and when it is torn down. With UDP, each read/write can have
    different peer and thus the security context might change every time.
    As a result the security context retrieval must be done TOGETHER with
    the packet retrieval.

    The solution is to build upon the existing Unix domain socket API for
    retrieving user credentials. Linux offers the API for obtaining user
    credentials via ancillary messages (i.e., out of band/control messages
    that are bundled together with a normal message).

    Patch implementation details:

    - Implementation for TCP
    The security context can be retrieved by applications using getsockopt
    with the existing SO_PEERSEC flag. As an example (ignoring error
    checking):

    getsockopt(sockfd, SOL_SOCKET, SO_PEERSEC, optbuf, &optlen);
    printf("Socket peer context is: %s\n", optbuf);

    The SELinux function, selinux_socket_getpeersec, is extended to check
    for labeled security associations for connected (TCP_ESTABLISHED ==
    sk->sk_state) TCP sockets only. If so, the socket has a dst_cache of
    struct dst_entry values that may refer to security associations. If
    these have security associations with security contexts, the security
    context is returned.

    getsockopt returns a buffer that contains a security context string or
    the buffer is unmodified.

    - Implementation for UDP
    To retrieve the security context, the application first indicates to
    the kernel such desire by setting the IP_PASSSEC option via
    getsockopt. Then the application retrieves the security context using
    the auxiliary data mechanism.

    An example server application for UDP should look like this:

    toggle = 1;
    toggle_len = sizeof(toggle);

    setsockopt(sockfd, SOL_IP, IP_PASSSEC, &toggle, &toggle_len);
    recvmsg(sockfd, &msg_hdr, 0);
    if (msg_hdr.msg_controllen > sizeof(struct cmsghdr)) {
    cmsg_hdr = CMSG_FIRSTHDR(&msg_hdr);
    if (cmsg_hdr->cmsg_len cmsg_level == SOL_IP &&
    cmsg_hdr->cmsg_type == SCM_SECURITY) {
    memcpy(&scontext, CMSG_DATA(cmsg_hdr), sizeof(scontext));
    }
    }

    ip_setsockopt is enhanced with a new socket option IP_PASSSEC to allow
    a server socket to receive security context of the peer. A new
    ancillary message type SCM_SECURITY.

    When the packet is received we get the security context from the
    sec_path pointer which is contained in the sk_buff, and copy it to the
    ancillary message space. An additional LSM hook,
    selinux_socket_getpeersec_udp, is defined to retrieve the security
    context from the SELinux space. The existing function,
    selinux_socket_getpeersec does not suit our purpose, because the
    security context is copied directly to user space, rather than to
    kernel space.

    Testing:

    We have tested the patch by setting up TCP and UDP connections between
    applications on two machines using the IPSec policies that result in
    labeled security associations being built. For TCP, we can then
    extract the peer security context using getsockopt on either end. For
    UDP, the receiving end can retrieve the security context using the
    auxiliary data mechanism of recvmsg.

    Signed-off-by: Catherine Zhang
    Acked-by: James Morris
    Acked-by: Herbert Xu
    Signed-off-by: David S. Miller

    Catherine Zhang
     

30 Aug, 2005

1 commit

  • 7c657876b   [DCCP]: Initial implementation ... Browse Code »

    Development to this point was done on a subversion repository at:

    http://oops.ghostprotocols.net:81/cgi-bin/viewcvs.cgi/dccp-2.6/

    This repository will be kept at this site for the foreseable future,
    so that interested parties can see the history of this code,
    attributions, etc.

    If I ever decide to take this offline I'll provide the full history at
    some other suitable place.

    Signed-off-by: Arnaldo Carvalho de Melo
    Signed-off-by: David S. Miller

    Arnaldo Carvalho de Melo
     

17 Apr, 2005

1 commit

  • 1da177e4c   Linux-2.6.12-rc2 ... Browse Code »

    Initial git repository build. I'm not bothering with the full history,
    even though we have it. We can create a separate "historical" git
    archive of that later if we want to, and in the meantime it's about
    3.2GB when imported into git - space that would just make the early
    git days unnecessarily complicated, when we don't have a lot of good
    infrastructure for it.

    Let it rip!

    Linus Torvalds